New pkg audit FNs
Steve Wills
swills at FreeBSD.org
Mon Oct 9 21:09:44 UTC 2017
Hi,
On 10/09/2017 16:34, Jan Beich wrote:
> Matthew Seaman <matthew at FreeBSD.org> writes:
>
>> On 09/10/2017 16:57, Roger Marquis wrote:
>>
>>> Can anyone say what mechanisms the ports-security team might have in
>>> place to monitor CVEs and port software versions?
I've been hacking at a prototype for scanning what I can find:
https://github.com/swills/nvd_to_new_vuxml
It's more of a proof of concept than anything. The entry for this issue
is still incomplete though, and the web page for it lists it as "waiting
for analysis":
https://nvd.nist.gov/vuln/detail/CVE-2017-12617
>>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>>> there's no mention of it in the vulnerability database The tomcat8
It looks like it's there to me:
https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=451185&r2=451415
https://www.vuxml.org/freebsd/c0dae634-4820-4505-850d-b1c975d0f67d.html
And added days ago.
>>> port's Makefile also still points to the older, vulnerable version.
True, the maintainer needs to update it. I've copied him on this message.
>>> Tomcat is one of those popular, internet-facing applications that sites
>>> need to check and/or update quickly when CVEs are released and most
>>> admins probably don't expect "pkg audit" to throw false negatives.
>>
>> Ports-secteam (and secteam, for that matter) will update VuXML when they
>> know about vulnerabilities that affect FreeBSD ports, however the usual
>> mechanism is that the port maintainer either updates VuXML themselves
>> directly or tells the appropriate people that there are vulnerabilities
>> that need to be recorded.
Correct, but it doesn't have to be the port maintainer, anyone can
submit a bug report with a patch to ports/security/vuxml/vuln.xml
> What happened to querying CVE database using CPE strings? ENOTIME is a
> common disease in volunteer projects, ports-secteam@ is no exception.
> Finding missing entries is trivial if one looks at Debian tracker.
> Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
> are fixed in the port.
>
> https://wiki.freebsd.org/Ports/CPE
Indeed, I've wanted to try matching up ports/packages to the CVE entries
by using CPE data. I will try to look at that again, but as always
patches welcome.
I'll try to add the missing tiff entries and any others anyone cares to
point out.
Steve
More information about the freebsd-ports
mailing list